Ephyr: An Architecture and Tool for Ephemeral Infrastructure Access for AI Agents

www.ephyr.ai/

https://github.com/EphyrAI/Ephyr

Hey everyone, I wanted to introduce Ephyr...because giving an autonomous agent a permanent API key or an open SSH session is pretty suboptimal.

Goal: To start, I would like to say, I'm not pitching this as a production ready, polished tool. It is a prototype. I think its ready for the selfhosted community, r/homelab and similar. But I'm really hoping to get input on the architecture and the technical approach to make sure I have no glaring holes. With that said...the tool:

Current State: If an orchestrator agent spawns a sub-agent to handle a subtask, it usually just passes down its own credentials. The Model Context Protocol (MCP) is a great transport layer, but it completely lacks a permission propagation and identity layer.

How I got here: I had actually been working on a simple access broker for SSH keys so I could use Claude Code to manage infa in my homelab (initially internal as 'Clauth'). A few weeks ago, Google DeepMind published Intelligent AI Delegation (arXiv:2602.11865), and I saw some interesting similarities.

Solution: Their paper highlighting this gap and proposing the use of Macaroons as "Delegation Capability Tokens". Ephyr is an open-source, production-ready implementation of that architecture. It sits between agent runtimes and infrastructure, replacing standing credentials with task-scoped, cryptographically attenuated Macaroons.

A few architectural decisions I thought folks might appreciate:

• Pure-Stdlib Macaroons: To minimize supply chain risk on the hot path, I dropped external macaroon libraries and wrote the HMAC-SHA256 caveat chaining from scratch using only Go's crypto/hmac and crypto/sha256. The core HMAC chain is ~300 lines of stdlib, with the full macaroon package coming in around 3,600 lines. The entire broker has exactly 3 direct dependencies. I'm actually incredibly proud of this, I wanted to be lean, efficient code to be one of the core pillars. You can literally run Ephyr on a rPi.

• The Effective Envelope Reducer: Macaroons natively prove caveat accumulation, but not semantic attenuation. Ephyr solves this with a deterministic reducer that enforces strict narrowing across delegation hops using set intersections, minimums, and boolean ANDs. The HMAC chain proves no caveats were stripped; the reducer proves the authority actually shrank. Also pairing this with task level filtering makes a powerful combo.

• Epoch Watermarking: Traditional JTI blocklists for revocation require O(N) memory growth and make cascading revocation a nightmare. Ephyr uses an Epoch Watermark map keyed by task ULID. Validation walks the token's lineage array in O(depth), meaning revoking a parent instantly kills all descendants with a single map entry. Again, incredibly fast and efficient.

• Proof-of-Possession (PoP): Because Macaroons are bearer tokens, I implemented a two-phase delegation bind to kill replay attacks. The parent creates an unbound token; the child independently generates an ephemeral Ed25519 keypair and binds its public key to the task. All subsequent requests require a PoP signature over a nonce and the request body hash.

The broker currently supports ephemeral SSH certificate issuance, HTTP credential injection, and federated MCP server routing. Performance-wise, auth takes <1ms, Macaroon verification takes ~32µs, and the full PoP pipeline runs in ~132µs.

I've included highly detailed security and identity whitepapers (in docs/whitepapers/) and a full threat model (docs/THREAT_MODEL.md) in the repository.

Caveats: I think it goes without saying in this sub, but I did use AI and agentic development tools in the process (namely CC), but I professionally I have spent most of my career in cybersec/machine learning/data science space, so I try and get in the minutia and code as much as possible. The architecture is my own, but built on fundamental building blocks and research that came before me.